WebApp Scanning Throwdown!

Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and mis-read a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

I feel the most important conclusions that can be drawn from this comparison are:

You can’t rely on one tool to find all your issues

You need to make sure your tools are properly configured for maximum results

No tool will find everything, but it will be a good indicator you may need to take something apart to look at it more closely

I’ve uploaded a text file giving detailed instructions on how to set-up a development environment under Windows for compiling the NessusWX client software. The document explains everything in excruciating detail and can be found in the files section. Have fun!

I’ve updated my article on performing an Annual Identity Check. It now includes details on requesting credit reports from Innovis, TeleCheck and more. And I re-verified all the phone numbers and website links. You can read the article here.

This Christmas my daughter got a Fisher-Price Kid Tough digital camera from a relative. It’s an adorable pink camera of modest resolution with a USB cable to use for downloading the pictures to your computer. And it comes with a free virus! Yay! Fortunately, my anti-virus software instantly detected the malware and quarantined it. And I long ago disabled all Auto Run support in Windows. If I hadn’t, the virus may have actually been able to run briefly. Malware needs only seconds to wreak havoc. In this case, it was a worm that installs backdoors, probably to open up a PC for eventual induction into a botnet. Attempts to contact Fisher-Price (or rather Mattel) have been fruitless, but I suspect this is a case of the factory where[…]